On the security of arbitrated quantum signature schemes 



(N 

o 



Urn Chengqing Li, 1,2 Zhonghua Wen, 1 Wcizhong Zhao, 1 and W. H. Chan 3 

College of Information Engineering, Xiangtan University, Xiangtan ^11105, China 
2 Department of Electronic and Information Engineering, 
The Hong Kong Polytechnic University, Hong Kong 
3 Department of Mathematics and Information Technology, 
The Hong Kong Institute of Education, Hong Kong 

Due to potential capability of providing unconditional security, arbitrated quantum signature 
(AQS) schemes, whose implementation depends on the participation of a trusted third party, received 
intense attention in the past decade. Recently, some typical AQS schemes were cryptanalyzed and 
improved. In this paper, we analyze security property of some AQS schemes and show that all 
the previous AQS schemes, no matter original or improved, are still insecure in the sense that the 
messages and the corresponding signatures can be exchanged among different receivers, allowing 
the receivers to deny accepting the signature of an appointed message. Some further improvement 
methods on the AQS schemes are also discussed. 
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Digital signature, as an electronic equivalent to hand- 
written signature in online transactions, is a very impor- 
tant cryptographic primitive and has many different uses. 
For instance, it can be used to authenticate the identity 
of the originator, ensure data integrity, and provide non- 
repudiation service. At present, classical (digital) signa- 
ture has been widely used in electronic commerce and 
other related fields. Unfortunately, most existing clas- 
sical signature schemes whose security depends on the 
difficulty of solving some hard mathematical problems 
were threatened by quantum computation Therefore, 
researchers turn to investigate its quantum counterpart 
with the hope that quantum signature can become an al- 
ternative to classical signature and provide unconditional 
security. 

Generally, a quantum signature scheme is believed to 
be unconditionally secure if the following two basic re- 
quirements are satisfied even though powerful quantum 
cheating strategies exist and unlimited computing re- 
sources are available: 1) the attacker (or the malicious 
receiver) cannot forge the signature; 2) disavowal of the 
signatory and the receiver is impossible. In 2002, un- 
conditionally secure quantum signature was proved to be 
impossible by Barnum et al. 0] . Even the result is disap- 
pointing, Zeng and Keitel proposed an arbitrated quan- 
tum signature (AQS) scheme with the aid of a trusted 
third party named arbitrator (3|. Afterwards, Li et al. 
found that the arbitrator is unnecessary to entangle with 
the other two participants in the AQS scheme presented 
in Ref. Q and thus the three-particle entangled GHZ 
states used in the scheme can be replaced with two- 
particle entangled Bell states Q ■ In addition, the prepa- 
ration and distribution of Bell states are much easier 
to be implemented than that of GHZ states with the 
present-day technologies. So, Li et al. proposed a more 
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efficient AQS scheme using Bell states Q. Zou et al. 
showed both the two schemes proposed in Ref. Q and 
Ref. [If are insecure since they could be repudiated by 
the receiver Bob and presented two AQS schemes claimed 
to fix the secure problem But Hwang et al. pointed 
out in Ref. @ that the arbitrator cannot solve the dis- 
pute between the signatory Alice and the receiver Bob 
when Bob claims a failure in the verification phase of the 
scheme proposed by Zou et al. Besides, some other se- 
curity problems of these typical AQS schemes were also 
been discovered 

In this paper, we study security of all the above men- 
tioned AQS schemes [3|-|5| and find that a common prob- 
lem existing in the AQS schemes: different receivers can 
exchange their signed messages and the corresponding 
signatures arbitrarily, and thus they can deny the ac- 
ceptance of the signature of an appointed message. The 
reason why this security problem exist is also analyzed 
in detail and the two AQS schemes presented by Zou et 
al. are selected as examples to study. In addition, we 
also discussed some potential improvement methods for 
enhancing the security of AQS schemes. 

The rest of the paper is organized as follows. Section U 
introduces the AQS scheme with entangled states given 
in Ref. Q and analyzes its security. Section |H] deals 
with the AQS scheme without entangled states proposed 
by Zou et al. in .3). Some discussions for improving the 
security of AQS schemes are given in Sec. IIIII The last 
section concludes the paper. 



I. SECURITY ANALYSIS OF THE AQS 
SCHEME WITH ENTANGLED STATES 



In this section, we will briefly introduce the AQS 
scheme with entangled states proposed in Ref. and 
then present security analysis on it. 
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A. The AQS scheme with entangled states 

The AQS scheme with entangled states proposed by 
Zou et al. in Ref. [|[ involves three participants, namely 
signatory Alice, receiver Bob, and the arbitrator, and 
consists of three phases: the initializing phase, the sign- 
ing phase, and the verifying phase, which are described 
as follows. 

A. The initializing phase 

Step 71: The arbitrator shares keys K A and Kb with 
Alice and Bob, respectively, through quantum key distri- 
bution protocols proposed in Refs. [ll|, X\% . which have 
been proved to be unconditionally secure [l3l [lij . 

Step 12: Alice generates N Bell states \tp) = 
(|Vi), IV2), • • • , \M) with |V0 = 75 (|00} AB + \U)ab), 
where the subscripts A and B correspond to Alice and 
Bob, respectively. Then she distributes one particle of 
each Bell state to Bob employing a secure and authenti- 
cated method 0, EH ■ 

B. The signing phase 

Step SI: Alice transforms the message \P) into \P') = 
E r (\P)) according to a randomly chosen number r G 
{00, 01, 10, 11}^. 

Step #2: Alice generates \S A ) = E Ka (\P')). 

Step 5*3: Alice combines each message state and the 
Bell state to obtain the three-particle entangled state 

\<k) = \p'i)®\il>i) 

+ |fe>A(Oi|0>fl-/Si|l>B) (1) 

+ \i>+ 2 ) A ( ai \l) B +(3A0) B ) 
+\iii 2 ) A (ai\l)B-pi\0)B)}, 

where \^>i 2 )a, \4>i2lA, 1^)4, and \ipi 2 ) A represent the 
four Bell states respectively [16J ■ 

Step SA: Alice implements a Bell measurement on each 
\<f>i) and obtains M A = (M A , M\, • ■ ■ , M A ), where M\ 
represents one of the four Bell states. 

Step Sh: Alice transmits the signature \S) = 
(\P'),\S A ), \M A )) to Bob. 

C. The verifying phase 

Step VI: Bob encrypts \P') and \S A ) using the key Kb 
and sends the resultant outcome \Y B ) = Ek b (\P'), \S a )) 
to the arbitrator. 

Step V2: The arbitrator decrypts \Y B ) with Kb and 
gets \P') and \S A ). Then he encrypts \P') with K A and 
obtains St- If \St) = \S A ), the arbitrator sets the veri- 
fication parameter V — 1, otherwise sets V = 0. 

Step V3: The arbitrator obtains \P') from \St) and 
sends the encrypted results \Yt) = Ek b {\P'}, \S A ),r) to 
Bob. 

Step V4: Bob decrypts \Yt) and obtains \S A ), 
and r. If r = 0, Bob rejects the signature, otherwise Bob 
makes further verification. 



Step V5: According to Alice's measurement outcomes 
M A and Eq. (p}, Bob obtains \P' B ) via teleportation. If 
\P' B ) 7^ |-f")> Bob rejects the signature, else informs Alice 
to publish r. 

Step V6: Alice announces r through the pubic board. 

Step VI: Bob recovers \P) from according to r 
and takes (\S A ),r) as the final signature of the message 
\P)- 



B. Security analysis 

Hwang et al. presented the dcniability dilemma in the 
above AQS scheme @. They found the arbitrator cannot 
solve the dispute if Bob claims \P' B ) 7^ \P') in Step V5 
since the following three cases may occur: 1) Bob told 
a lie; 2) Alice sent a incorrect information to Bob; and 
3) Eve disturbed the communication. However, if Bob 
made such an allegation, the verification process cannot 
be completed and a new signature task should be started. 
So, here we show that the receiver Bob can repudiate the 
acceptance of a signature related to a given message after 
finishing the verification process successfully. 

First let Alice sign the message \P)b for Bob and the 
message \P)c f° r Charlie. Actually, \P)b is favorable 
to Charlie, and \P)c is beneficial to Bob. Then Bob 
and Charlie can be shown to exchange their messages 
and the corresponding signatures by using the following 
method. In step 12, after Alice distributes particles of 
Bell states to Bob and Charlie, Bob and Charlie exchange 
the particles they get. Similarly, after step 55, Bob sends 
the qubit string \S) B = (\P')b, \S A )b, \M a )b) to Char- 
lie and Charlie returns \S) C = (\P')c, \S A )c, \M A )c) to 
Bob. Then Bob can verify the validity of the signature 
\S A )c for the message \P)c with the help of the arbitra- 
tor, and Charlie can check whether \S A ) B is the signa- 
ture of \P)b with the aid of the arbitrator. Obviously, if 
Alice's signatures are valid, Bob and Charlie can finish 
the verification processes successfully. After that, Bob 
gets Alice's signature for the message \P)c and Char- 
lie obtains Alice's signature related to the message \P)b- 
Therefore, even if there are disagreements between Alice 
and Bob or between Alice and Charlie afterwards, Bob 
still can deny accepting the signature \S a )b of the mes- 
sage \P)b, and Charlie also can disavow the acceptance 
of the signature \S A )c related to the message \P)c- Fur- 
thermore, the arbitrator is not able to settle the dispute 
since they passed the verification processes. 



II. SECURITY ANALYSIS OF THE AQS 
SCHEME WITHOUT ENTANGLED STATES 

This section reviews the AQS scheme without entan- 
gled states proposed by Zou et al. in Ref. Q, and then 
analyzes the security of the scheme. 
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A. The AQS scheme without entangled states 

The AQS scheme without entangled states also in- 
volves three participants, namely signatory Alice, re- 
ceiver Bob, and the arbitrator, and consists of the fol- 
lowing three phases. 

A. The initializing phase 

Step II: The arbitrator shares keys Ka and Kb with 
Alice and Bob, respectively. In addition, Alice and Bob 
shares the key Kab- 

B. The signing phase 

Step SI: Alice chooses a random number r G {0, 1} 2N 
and computes \P'} = E r (\P)) and \R AB ) = M Kab {\P')). 

Step S2: Alice generates \S A ) = E Ka {\P')). 

Step Si: Alice generates the signature \S) = 
Ek ab (\P'), \Rab), \Sa)) and transmits it to Bob. 

C. The verifying phase 

Step VI: Bob obtains \P'), \R A b), and \S A ) by de- 
crypting | S) with the key Kab- Then he generates 
\Yb) — Ek b (\P'), \S a )) and sends it to the arbitrator. 

Step V2: The arbitrator decrypts \Yb) with Kb and 
gets \P') and \S A ). 

Step V3: The arbitrator obtains \P T ) from \S A ) and 
compares it with \P'). If \P T ) = \P'), he sets the verifi- 
cation parameter Vr = 1, else sets Vr = 0. The arbitra- 
tor announces the value of Vr via the public board. If 
Vt = 1, he reproduces Yb and resends it to Bob. 

Step VA: If Vr = 0, Bob rejects the signature, other- 
wise Bob decrypts \Yb) and obtains \P') and \S A ). Then 
he computes \P' B ) = M^ 1 (\R A b)) and compares it with 
|P'). If = | J"), he sets the verification parameter 
Vb = 1, else sets Vb = 0. Bob announces the value of 
Vb via the public board. 

Step V5: If Vb = 0, Alice and the arbitrator abort the 
scheme, otherwise Alice announces r through the public 
board. 

Step V6: Bob recovers \P) from \P') by r and takes 
(\S A ), r) as Alice's final signature of the message \P). 

B. Security analysis 

In this subsection, we show that the arbitrator also 
cannot solve the disagreements between signatory and 
receiver for the AQS scheme without entangled states if 
the following case happens. 

Suppose Alice intend to sign the message \P) for Bob. 
Afterwards, Bob finds the message \P) is useless or unfa- 
vorable to him but beneficial to Charlie. Then by doing 
the following steps, Charlie can get the signature for \P) 
without being detected by Alice. 

• First, when Bob receives \S) = Ek ab {\P') , 
\Rab), \S a )) related to the message \P) from Al- 
ice after step 5*3, he decrypts it with the key K A b 



and obtains \P'), \Rab), and \S A ). In addition, 
Bob gets another version of \P') by decrypting Rab 
with the key Kab- 

• Second, Bob transmits two versions of \P') and 
\Sa) to Charlie through an authenticated channel. 

• Third, after Charlie has received what Bob sent, he 
encrypts \P') and \Sa) with the key Kq shared with 
the arbitrator to obtain \Yq) = Ek c (\P'}, \S a )). 

• At last, the encrypted result \Yc) is sent to the 
arbitrator. 

Apparently, Charlie can implement the verification pro- 
cedure like a honest receiver and get the signature of \P) 
if it is a valid one made by Alice. Furthermore, the ar- 
bitrator and Alice cannot discover the fact. Therefore, if 
there are disputes between Alice and Bob, Bob can deny 
that he has accepted the signature of the message |P), 
and Charlie can claim the signature of \P) does come 
from Alice if disagreements between Alice and Charlie 
exist. 



III. POSSIBLE ENHANCEMENTS 

In this section, we first analyze two reasons why AQS 
schemes are easy to suffer deniability dilemma problem, 
and then propose the corresponding improve methods. 

One reason is that the signatory Alice cannot identify 
the real receiver. In other words, there is no relationship 
between the signed message and the real receiver. There- 
fore, different receivers can exchange their messages and 
the corresponding signatures arbitrarily and thus repu- 
diate accepting signatures for appointed messages. An- 
other reason is that when participants announce random 
numbers or values of verification parameters, the identi- 
ties of them and the announcement time are not pub- 
lished together. So, the arbitrator cannot distinguish 
which opened information is related to a specified mes- 
sage during a certain period. 

According to the above analysis, we can take the fol- 
lowing three measures to enhance the security of AQS 
schemes. 

• First, the signatory Alice's signature not only in- 
cludes the message, but also the identity of the re- 
ceiver. Although the property of receivers' denia- 
bility is not always necessary in a signature scheme, 
it is quite useful in some special circumstances. For 
instance, suppose Alice sign a contract with Bob for 
a thousand dollars goods. If Bob can deny that he 
has accepted the contract with the help of another 
receiver Charlie and ask Alice to do the same thing 
again, it is quite unfair for Alice. 

• Second, when participants are required to announce 
random numbers or values of verification parame- 
ters, their identities and the announcement time 
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should be also attached. So the arbitrator and the 
signatory can distinguish when the verification of 
signatures related to appointed messages is imple- 
mented and who participate in the verification pro- 
cess. 

• Third, before the signatory Alice start a signature 
procedure, she can tell the arbitrator who will be 
the receiver at first. 



IV. CONCLUSION 

In this paper, we have shown two typical AQS schemes 
still suffer the security problem, namely receivers can 
deny any signature for an appointed message after the 
AQS procedures have been completed successfully. That 
is because a signed message is unrelated to a receiver, 
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